OUR PRIVACY PRACTICES NOTICE

Effective Date: March 2026  |  Version 1.0

Important Notice Regarding Our Role: Precision Pediatric Operations (PPO) is a HIPAA Business Associate — not a Covered Entity. We do not provide direct patient care and only provide consulting and advocacy services direct to patients. This Notice describes how PPO handles protected health information (PHI) received from our client Covered Entities (physician practices and DME companies) in the course of providing prior authorization management services and how PPO handles patient PHI received directly from patients in the course of our authorization management and advocacy services. This notice is provided to client practices and is available to patients upon request through their treating provider as well as on our website.


Who We Are

Precision Pediatric Operations is a Virginia-based prior authorization management company providing services to physician practices, durable medical equipment (DME) companies, and to individual clients as authorization approval advocates. We are a division of Morris Capital Consultants LLC, a Virginia limited liability company headquartered in Spotsylvania County, Virginia. In performing our services, we act as a Business Associate under HIPAA and handle PHI solely on behalf of and under the direction of our client Covered Entities and direct from clients where necessary to perform our authorization and advocacy services.

Our Privacy Commitment

Precision Pediatric Operations is committed to protecting the privacy and security of all protected health information entrusted to us by our clients and client practices. We understand that PHI represents some of the most sensitive personal information in existence, and we treat it with the highest level of care, discretion, and professionalism in every aspect of our operations.

We are required by law to maintain the privacy of PHI, to provide this notice of our privacy practices, and to abide by the terms of this notice. We are directly subject to the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, and the HITECH Act.

How We Use and Disclose Protected Health Information

Permitted Uses and Disclosures

PPO uses and discloses PHI only as permitted by our Business Associate Agreement (BAA) with each client practice and as allowed under the HIPAA Privacy Rule with direct medical releases from our clients. Our permitted uses and disclosures include:

  • Healthcare Operations — Prior Authorization Management: We use PHI to submit prior authorization requests, track authorization status, manage denials, draft and submit appeal letters, and coordinate peer-to-peer review preparation on behalf of our client practices. This is the primary purpose for which we receive and use PHI.

  • TRICARE ECHO Navigation: We use PHI to assist military families and their treating providers in navigating the TRICARE Extended Care Health Option (ECHO) authorization process.

  • Communication with Payers: We disclose the minimum necessary PHI to insurance payers, managed care organizations, and government health programs (including Virginia Medicaid/Cardinal Care, TRICARE, Medicare, and commercial insurers) solely for the purpose of obtaining prior authorization for services ordered by our client's physicians.

  • As Required by Law: We may use or disclose PHI when required by federal or state law, including in response to a valid court order, subpoena, or law enforcement request as permitted under HIPAA.

  • To Prevent Serious Harm: We may use or disclose PHI as necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

Uses and Disclosures We Will Never Make

PPO will never:

  • Sell PHI or use it for any commercial, marketing, or fundraising purpose

  • Use or disclose PHI for any purpose beyond what is necessary to perform the services contracted with a client practice

  • Share one client's patient PHI with any other client, practice, or third party

  • Use PHI for research purposes without proper authorization

  • Disclose PHI to employers or in employment-related matters

  • Access PHI for personal benefit or curiosity

Minimum Necessary Standard

In all uses and disclosures of PHI, PPO applies the HIPAA minimum necessary standard — we access, use, and disclose only the minimum amount of PHI reasonably necessary to accomplish the intended purpose. We will only request clinical documentation from client practices that is directly relevant to the specific authorization being submitted.

How We Protect Our Patients' Information

PPO has implemented comprehensive administrative, physical, and technical safeguards to protect the PHI of our clients and clients' patients, including:

  • Encrypted devices: All devices used to access PHI operate with full-disk encryption

  • Secure communications: All PHI is transmitted exclusively through HIPAA-compliant, BAA-covered channels — encrypted email (Google Workspace), HIPAA-compliant fax (Fax.Plus), and payer portal secure messaging

  • Access controls: PHI access is limited to authorized PPO personnel on a role-based, minimum-necessary basis, protected by strong passwords and multi-factor authentication

  • Secure storage: All ePHI is stored in HIPAA-compliant, BAA-covered cloud storage (Google Drive — secured business account) — never on local drives or personal accounts

  • No shared credentials: PPO never uses a client practice's own portal login credentials — we maintain our own authorized delegate credentials for every payer portal we access

  • Vendor compliance: We maintain signed BAAs with all vendors and platforms that may access PHI

  • Trained workforce: All PPO workforce members have completed HIPAA training, hold current certificates, and are bound by this notice and PPO's internal privacy and security policies

Business Associate Agreements

PPO executes a signed HIPAA Business Associate Agreement with every client practice before accessing any PHI. Our BAA defines the permitted uses and disclosures of PHI, establishes our compliance obligations, and provides a contractual framework protecting both the client practice and its patients. We will not commence services for any client without a fully executed BAA in place.

Breach Notification

In the event of a breach of unsecured PHI, PPO will notify the affected client and/or client practice promptly and in accordance with the timeframes specified in our BAA and the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D). Our breach notification will include the nature of the breach, the PHI involved, the steps PPO has taken to investigate and mitigate the breach, and the corrective actions taken to prevent recurrence. The client Covered Entity, when applicable, remains responsible for notifying affected individuals and HHS as required under HIPAA.

Our HIPAA Privacy Officer

PPO has designated a HIPAA Privacy Officer who is responsible for overseeing our privacy compliance program and serving as the point of contact for all privacy-related questions, concerns, or complaints.

How to File a Privacy Complaint

If you believe PPO has violated yours or your patients' privacy rights or our privacy policies, you have the right to file a complaint with:

PPO will not retaliate against any individual or practice for filing a complaint in good faith.

Changes to This Notice

PPO reserves the right to change this Notice and to make the revised notice effective for PHI we already hold as well as PHI we receive in the future. The current version of this Notice is always available at precisionpediatricops.com and will be provided to clients and client practices upon request. The effective date at the top of this notice reflects the date the current version took effect.

Acknowledgment of Receipt

Client practices are asked to acknowledge receipt of this Notice as part of their onboarding process with PPO. A copy of this Notice is provided with every new client engagement and is available upon request at any time. We are not required by law to provide this notice to individual patients. Individual patients (not covered entities) should download a copy from our website.